This raises an issue in any environment that depends on local DNS resolution, Active Directory (AD) domains being the obvious case. A typical AD environment has at least two domain controllers (DCs) that answer DNS for the domain's own zones (host records plus the SRV records domain-joined clients use to locate DCs), and DNS on those DCs is configured with Forwarders so that public names can be resolved as well.

Here are a couple of ways to combine Pi-hole and Cloudflared, which I'll call Pi-flared, so that public DNS resolution gets the benefits of DoH while the DCs keep handling local DNS resolution.

Option 1

The AD DNS servers (the DCs) are configured with the Pi-flared DNS server(s) as their Forwarder(s), in place of the public resolvers they forward to today. Clients keep pointing at the DCs, so nothing changes on the endpoints.

Cons: Every query reaches the DCs first, so Pi-hole's query log shows only the DCs as clients; granular per-client metrics are not available, at least not from Pi-hole. The DCs also cache answers, so repeated lookups for the same name never reach Pi-hole at all.

Option 2

(My preference) Clients are configured with the Pi-flared server(s) for DNS, and the Pi-flared servers are configured to forward the AD domain's zones (forward and reverse) to the DCs; everything else goes out over DoH.

Pros: Pi-hole's query log now shows requests from every host on the network, which gives the granular per-client metrics I want to see in Pi-hole's admin interface.

Cons: Static clients must be reconfigured, and the DHCP scope or server options updated, so that DHCP clients receive the Pi-flared DNS server(s). The forwarding rule on the Pi-flared servers must also cover the whole AD zone, not just a few host names, because domain-joined machines locate DCs through SRV records under _msdcs, _sites, _tcp and _udp; if those queries leak to the public resolver, domain logons and Group Policy break. The DCs themselves still need working Forwarders for their own public lookups (they can point at Pi-flared too).
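The Option 2 forwarding rule, as an added example that is not part of the original post or of Pi-hole itself. Pi-hole's resolver (pihole-FTL) is dnsmasq-based and reads drop-in files from /etc/dnsmasq.d (Pi-hole v5 does this by default; newer releases only when the misc.etc_dnsmasq_d option is enabled in /etc/pihole/pihole.toml). The script below generates such a drop-in that sends the AD zone and the internal reverse zone to the DCs and leaves every other name on Pi-hole's normal upstream (Cloudflared). The zone name corp.example, the subnet 10.0.0.0/24, the DC addresses 10.0.0.10 and 10.0.0.11 and the file name 02-ad-forward.conf are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): generate and install an Option 2
# forwarding drop-in for Pi-hole's dnsmasq-based resolver. Names under the AD
# zone and PTR lookups for the internal subnet go to the domain controllers;
# everything else follows Pi-hole's normal upstream (cloudflared, for DoH).
# Assumed values: AD zone corp.example, subnet 10.0.0.0/24, DCs 10.0.0.10/.11.

# ad_forward_conf ZONE SUBNET DC [DC...]  -> prints the dnsmasq config on stdout
ad_forward_conf() {
  zone="$1"; subnet="$2"; shift 2
  if [ "$#" -lt 1 ]; then
    echo "ad_forward_conf: at least one domain controller address is required" >&2
    return 1
  fi
  printf '# AD zone %s -> domain controllers. One server= line per DC; dnsmasq\n' "$zone"
  printf '# uses whichever answers and fails over if one is down. Subzones such as\n'
  printf '# _msdcs.%s, _sites, _tcp and _udp are covered by the parent entry.\n' "$zone"
  for dc in "$@"; do
    printf 'server=/%s/%s\n' "$zone" "$dc"
  done
  printf '# Reverse zone for %s -> domain controllers, so PTR lookups for\n' "$subnet"
  printf '# internal hosts never leave the network.\n'
  for dc in "$@"; do
    printf 'rev-server=%s,%s\n' "$subnet" "$dc"
  done
}

# conf_has_line CONF_TEXT LINE -> exit status 0 if LINE is present verbatim;
# used to sanity-check the generated file before the resolver is restarted.
conf_has_line() {
  printf '%s\n' "$1" | grep -qxF -- "$2"
}

# Only touch the system when explicitly asked; running the file without
# arguments just defines the functions above.
if [ "${1:-}" = "--install" ]; then
  conf=$(ad_forward_conf corp.example 10.0.0.0/24 10.0.0.10 10.0.0.11)
  conf_has_line "$conf" 'server=/corp.example/10.0.0.10' || exit 1
  printf '%s\n' "$conf" | sudo tee /etc/dnsmasq.d/02-ad-forward.conf >/dev/null
  sudo pihole restartdns
fi
```

Run it as `sh ad-forward.sh --install` on the Pi-flared host, then confirm from a client that an SRV lookup such as _ldap._tcp.dc._msdcs.corp.example is answered by a DC's address and that a public name still resolves through Cloudflared. Pi-hole's admin interface also offers a "Conditional forwarding" setting that writes equivalent server= and rev-server= lines for a single domain and subnet; the drop-in is the same mechanism with room for several DCs.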

Process Order

The steps below require root privileges; if you're logged in as a different user, run them with sudo.

Install Ubuntu Mate on your Pi

Install Pi-hole

This command is straight from Pi-hole's site, which itself warns that piping a remote script to bash can be dangerous and suggests that you download the installer, review the code, and then run it locally instead.

curl -sSL https://install.pi-hole.net | bash

Install Cloudflared

Full disclosure: the steps below are almost directly borrowed from Ben Dew's DNS Over HTTPS post, which I followed to get my Pi-hole/Cloudflared environment set up. I'm merely sharing my version of the deployment.